Bug 1264005 - when dropping privileges secondary user groups are not loaded [NEEDINFO]
Product: Fedora EPEL
Classification: Fedora
Component: mock
All Linux
unspecified Severity medium
Assigned To: Miroslav Suchý
Fedora Extras Quality Assurance
Blocks: 1292556
Reported: 2015-09-17 06:05 EDT by Lukas Herbolt
Modified: 2016-08-08 20:08 EDT
Doc Type: Bug Fix
Type: Bug
dwysocha: needinfo? (williams)

Attachments
data for reproducer (23.68 KB, application/x-gzip)
2015-09-17 06:05 EDT, Lukas Herbolt

Description Lukas Herbolt 2015-09-17 06:05:29 EDT
Created attachment 1074381
data for reproducer

Description of problem:
When mock drops privileges, it loads only the primary group and UID of the user, and via
os.setgroups() it loads only mockgid.

Version-Release number of selected component (if applicable):
Installed Packages
Name        : mock
Arch        : noarch
Version     : 1.2.12
Release     : 1.el7
Size        : 952 k
Repo        : installed
From repo   : epel

How reproducible:
Well this is an issue if you are going to use mock via retrace server.

Steps to Reproduce:
1. Download the attached package.
2. Change the owner to be different from your user.
3. Change the group to one different from your primary group, but you must be a member of the group.
4. Ensure all dirs and files have access rights 770.
5. Run: /usr/bin/mock --configdir <path to the mock config dir> shell

Actual results:

ERROR: Could not find required config file: <path to the config>
ERROR:   Did you forget to specify the chroot to use with '-r'?
ERROR:   If you're trying to specify a path, include the .cfg extension, e.g. -r ./target.cfg

Expected results:

mock chrooted shell 

Additional info:
As written in description.
We are switching from UID/GID 0/0 to USERHELPER_UID. (sudo is not used anymore imho)
UID is correctly recognized as int(os.environ['USERHELPER_UID']).
GID is fine as well, but as other groups we set only mockgid.
We should also append the user's secondary groups.

# imports this excerpt relies on
import os
import pwd
import mockbuild.uid

def setup_uid_manager(mockgid):
    #import pdb; pdb.set_trace()
    unprivUid = os.getuid()
    unprivGid = os.getgid()

    # sudo
    if os.environ.get("SUDO_UID") is not None:
        unprivUid = int(os.environ['SUDO_UID'])
        unprivGid = int(os.environ['SUDO_GID'])

    # consolehelper
    if os.environ.get("USERHELPER_UID") is not None:
        unprivUid = int(os.environ['USERHELPER_UID'])
        os.setgroups((mockgid,))   # <<<< only mockgid is set here
        unprivGid = pwd.getpwuid(unprivUid)[3]

    uidManager = mockbuild.uid.UidManager(unprivUid, unprivGid)
    return uidManager

Something like this could be nice (the primary group is listed but it could be removed easily):

>>> import grp
>>> user = "lherbolt"
>>> [g.gr_name for g in grp.getgrall() if user in g.gr_mem]
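
A sketch of what the report asks for, as an added example (not part of the original report and not mock's own code): build the full gid list for the unprivileged user, always including mockgid, and pass that list to os.setgroups() instead of (mockgid,). The function names and the sample group entries are hypothetical and constructed; it assumes Python 3.3+ for os.getgrouplist().

```python
import os
import pwd
from collections import namedtuple

# Constructed stand-in for grp.getgrall() entries (names and gids are made up).
Group = namedtuple("Group", "gr_name gr_gid gr_mem")
SAMPLE_GROUPS = [
    Group("lherbolt", 1000, []),            # primary group: user not in gr_mem
    Group("mock", 135, ["lherbolt"]),
    Group("retrace", 980, ["lherbolt", "abrt"]),
    Group("wheel", 10, ["root"]),
]


def groups_for_drop(user, primary_gid, mockgid, group_db=None):
    """Return the sorted, de-duplicated gid list for os.setgroups().

    Hypothetical helper. With group_db=None the system is asked through
    os.getgrouplist(), which also resolves groups from NSS sources that do
    not support enumeration via grp.getgrall().
    """
    if group_db is None:
        found = os.getgrouplist(user, primary_gid)
    else:
        found = [g.gr_gid for g in group_db if user in g.gr_mem]
    # The primary gid and mockgid are always kept, even if nothing lists them.
    return sorted({primary_gid, mockgid, *found})


def set_unpriv_groups(uid, mockgid):
    """Hypothetical replacement for os.setgroups((mockgid,)); must run as root."""
    pw = pwd.getpwuid(uid)
    gids = groups_for_drop(pw.pw_name, pw.pw_gid, mockgid)
    os.setgroups(gids)  # needs CAP_SETGID, so call it before privileges are given up
    if set(os.getgroups()) != set(gids):
        raise RuntimeError("supplementary groups were not applied")
    return gids


if __name__ == "__main__":
    before = [135]  # what os.setgroups((mockgid,)) leaves the process with
    after = groups_for_drop("lherbolt", 1000, 135, SAMPLE_GROUPS)
    print("before:", before, "after:", after)  # gid 980 is only in 'after'
```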
